Fortinet researcher Kai Lu warns of a fake email app that is capable of stealing login credentials from 15 different mobile banking apps for German banks.


“Once this malicious app is installed and device administrator rights are granted, when the user first launches a targeted banking app the malicious app sends a request via HTTPS to its C2 server to get the payload. The C2 server then responds with a fake customized login webpage, and the malicious app displays this fake customized login screen overlay on top of the legitimate banking app to collect entered banking credentials,” he explains.

“There is a different customized login screen for each bank targeted by this malware.”

The malware hides the icon from the launcher once the malware is up and running, and victims might be tricked into believing that they have somehow failed to install the app.

But, in the background, the malware tries to prevent some 30 different anti-virus mobile apps from launching, collects information about the device (as well as the “installed app” list) and sends it to the C&C server, and waits for further instructions.

It can be made to intercept incoming SMS messages, send out mass text messages, update the targeted app list, set a new password for the device, and more.

At the moment, it does not pop overlays to steal credit card info (e.g. when the Google Play or PayPal app is started), but that can soon change.

The researcher says that to remove the app, victims must first disable the malware’s device administrator rights in Settings > Security > Device administrators > Device Admin > Deactivate, then uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’. Tech-unsavvy users might want to ask for help with that last step from friends and family who know how to do that.

Lu also recently analyzed another piece of malware that masquerades as an unnamed German mobile banking app. This one also targets five banks in Austria, as well as Google Play (asks users to input credit card info when they start the app).

This particular malware also comes in the form of a fake Flash Player app, and is after credit card info of users of several popular social media apps (Instagram, Skype, WhatsApp, Facebook, etc.).

Help Net Security

A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.

Collectively dubbed DefecTor, the attacks improve the efficacy of existing website fingerprinting attacks through the attacker’s ability to observe DNS traffic from Tor exit relays. The attacks offer great-to-perfect results – the latter mostly when identifying visitors to infrequently visited sites.

DefecTor: DNS-enhanced correlation attacks against Tor users

“It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries [i.e. those that can monitor both network traffic that enters and exits the network],” says Phillip Winter, a postdoctoral researcher in computer science at Princeton University and one of the group behind this latest research.

DefecTor attacks, on the other hand, can be leveraged by “semi-global” adversaries.

One of the most notable ones is Google, as it operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network.

“Additionally, Google can monitor some network traffic that is entering the Tor network: for example, via Google Fiber, via guard relays that are occasionally run in Google’s cloud, and formerly via meek app engine, which is now defunct,” Winter explains.

The researchers also found that DNS requests often traverse autonomous systems that the TCP connections made via Tor don’t transit, and this enables them to gain information about Tor users’ traffic.

While Tor developers are already working on implementing techniques to make website fingerprinting attacks harder to execute, there are other actions that can be taken to prevent DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity into how exit relays resolve DNS domains.

The researchers added that their paper has yet to be peer reviewed, but if you’re interested in replicating their research, they have provided code, data, and replication instructions here.

Help Net Security

A malware lab in the Cybercrime Center on Microsoft's campus lets members of the company's Digital Crimes Unit work on malicious software in a controlled environment.

One of the biggest security risks for computer users is their web browser. According to Microsoft, 90 percent of phishing emails use the browser to initiate attacks, which can then be used to help attackers establish a beachhead inside a company.

Microsoft is aiming to better protect users and organizations from the threats that they face with a new feature called Windows Defender Application Guard. It's designed to isolate Microsoft Edge from the rest of the files and processes running on a user's computer and prevent computer exploits from taking hold.


This is a move that could drive greater adoption of Microsoft's browser in the enterprise, at a time when the company is fiercely competing with Google in that space. Security of company assets is a big problem for enterprises, and Microsoft is offering them another way to help protect their users without requiring those users to be security experts.

Here's how it works: when users navigate to untrusted websites in Edge with the feature enabled, Microsoft's browser launches new sessions that run in virtualized containers on their Windows 10 PCs and tablets.

In the event there's malicious code on those sites that tries to deploy on users' machines, it gets deployed into the container, isolated from the operating system and everything else.

When users quit their Edge sessions, the container is destroyed, and the malicious code is supposed to go along with it, thereby protecting users from whatever payload they may have been exposed to.

According to Rob Lefferts, Microsoft's director of program management for Windows Enterprise and Security, the other key thing about the feature is that the container's isolation is enforced using a secure root of trust that runs on the computer's processor itself.  

While Application Guard is a powerful capability, that comes at a cost. Because the container is destroyed whenever a user quits Edge, any cookies or cached items accumulated during that time go with it. In other words, even if users check the "Remember Me" button on a website, they'll have to log back in next time they open Edge. Virtualizing Microsoft's browser will also lead to some loss of performance.

IT administrators will be able to set the service up to whitelist certain trusted sites which will run in a traditional, non-containerized form, so users can get the same sort of browsing experience they're used to from those sites.

Lefferts cautioned that the feature won't be right for every organization, or even every employee.

"It is really [for] environments that want to run locked-down browsers," he said in an interview. "Finance organizations, healthcare organizations, a whole slew of military organizations that I talk to."

Microsoft is still in the process of building the feature, and will be rolling it out to Windows Insiders in the coming months. The company expects Windows Defender Application Guard to be generally available some time in 2017, for organizations that are subscribed to the Windows 10 Enterprise E3 and E5 plans.

That means there are still some questions left unanswered about what Windows 10 Application Guard will mean for users. For example, the company isn't saying yet what sort of impact running Edge in a container will have on its performance.

Lefferts said that the company is still working on getting the performance right, and wants to make both the Edge startup experience and the browsing experience feel good to users.

Looking forward, Microsoft may make the same containerization technology available to other applications, Matt Barlow, the corporate vice president for Windows Marketing, said during a press conference. But right now, the company is working to ship the first version of the feature.

Windows Defender Application Guard is one of a number of security-focused announcements that the company made at its Ignite conference in Atlanta, Georgia on Monday. It also announced that Windows Defender Advanced Threat Protection and Office 365 Advanced Threat Protection will share intelligence across both services to provide IT administrators with an easier way to manage threats.  

The company is also releasing a new Secure Productive Enterprise service, which gives companies an easy way to buy a suite of its advanced security capabilities across Office, Windows and its Enterprise Mobility + Security suite.

InfoWorld Security

Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.

But not all subscribers have been notified, and that’s because the alert didn’t come from the site admins, but from the Have I Been Pwnd? service. The service allows users to submit their email address, and notifies them when it’s found in data batches stolen in breaches.

According to the notification, MoDaCo suffered a data breach in January 2016, and the attacker made off with email and IP addresses, and usernames and passwords (stored as salted MD5 hashes) of nearly 880,000 subscribers.

The reason why MoDaCo hasn’t notified users of the breach is still unknown. MoDaCo founder Paul O’Brien promised to post an official statement about the incident later today, and reassured subscribers that all passwords are hashed and salted.

Security researcher Troy Hunt, who runs Have I Been Pwnd?, says that 70 percent of the email addresses exposed in this breach were already contained in data batches from previous breaches of other online services.

“With data that includes email and IP addresses, passwords and usernames, there’s nothing out of the ordinary there,” Mark James, IT Security Specialist at ESET, commented for Help Net Security.

“To be honest, data breaches happen all the time; this particular one is causing a bit of a storm on their own forums, as the users would like to have received notification from the owners first, not through a third-party site. Looking through the forum posts, many of the users have not used the site for a while and were looking for means to delete their accounts. The problem, of course, is that when we create usernames and passwords on sites that reflect our current interests, if we then move on or stop using those sites it’s sometimes difficult or almost impossible to delete those redundant accounts. This breach apparently happened in January 2016 (that needs to be confirmed officially), but at least the passwords were stored as salted MD5 hashes and not in plaintext.”

Help Net Security

This is not just another "I found a problem in a single IOT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.

Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused vendor-neutral information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services.

Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains, including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in Instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at

Leading the charge of Urbane’s Compliance and Enterprise Risk Management divisions, Erin brings her years of executive-level experience coupled with deep and diverse technical knowledge to help organizations accurately prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OSX reversing, diversity in tech, and IOT. More information on Erin can be found by following @SecBarbie on Twitter.

Twitter: @UrbaneSec @zfasel @SecBarbie

DEF CON Announcements!

If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.

The company behind the popular Paid To Click site has been breached, the site ( made to redirect to a gay porn site, its Microsoft Exchange server and webservers compromised, and an old database server containing users’ information pilfered some ten days ago.

The stolen information includes users’ name, email and IP address, home address, date of birth, sex, account balance, payment history, as well as their password in plaintext.

The company has confirmed the hack to Ars Technica, and said that it has forced a password reset on all of its 6.6 million registered users.

Users who have reused the same password on other online accounts should change it there also, as well as be on the lookout for convincing phishing attempts by crooks using their stolen information.

It is a very realistic scenario, as the attackers are offering the account records for sale, along with emails exchanged by the company’s employees and the complete source code for the site.

They have released a sample of the stolen data, containing that of early users, as proof.

Unlike previous mega data breaches, this one is not old – the user database was dumped earlier this month, so all the information contained in it should be up to date.

Of course, it’s possible that some users have entered incorrect information when asked, and given what’s happened, I say good on them.

“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated),” Clixsense explained in a post about the incident.

“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to ‘hacked account’ and deleted many forum posts. He also set user balances to $ 0.00.”

After all that, the company had the nerve to say that the incident “has taught us that regardless of what you do to stay secure, it still may not be enough,” and that users’ “ClixSense account information is now much more secure.”

Nevermind that it should have been secure in the first place… Why was an old server that’s no longer in use still connected to their database server? And, for that matter, why did they store passwords in plain text? None of this inspires much confidence that they will “do” security better in the future.

But none of this matters much to the affected users: much of their personal info has been compromised, and there is no going back.

Help Net Security

Since Microsoft began pushing Windows 10 on consumers and enterprise users, it has consistently worked towards minimizing the choices they can make about the installation.


One of these steps was to make sure that both individual users and enterprise customers could not pick and choose which patches to apply and which to forgo – cumulative patches became the norm. And while enterprises can test the patches before deploying them, home users don’t have that option – the patches and updates are automatically downloaded and installed.

Then, this Monday, Microsoft’s Nathan Mercer announced another change: starting with October 2016, individual patches will no longer be available for Windows 7 SP, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

“Historically, we have released individual patches for these platforms, which allowed you to be selective with the updates you deployed. This resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems,” Mercer explains, adding that this rollup (multiple patches rolled together into a single update) model is ultimately better for users.

So, from October onwards, the company will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update, as well as a separate monthly Security-only single update.

“The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current. i.e. a Monthly Rollup in October 2016 will include all updates for October, while November 2016 will include October and November updates, and so on,” says Mercer.

“Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month. Individual patches will no longer be available. The Security-only update will be available to download and deploy from WSUS, SCCM, and the Microsoft Update Catalog. Windows Update will publish only the Monthly Rollup – the Security-only update will not be published to Windows Update.”

This change will surely not sit well with users who decided to keep using Windows 7 and 8.1 because it allowed them more choice when it comes to (security) updating.

EFF’s Amul Kalia recently pointed out a number of forced changes recently implemented by the company: from deceptive upgrading tactics to collecting usage and telemetry data without offering consumers the option to opt-out of it completely.

“The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations,” he said. “Otherwise it will face backlash in the form of individual lawsuits, state attorney general investigations, and government investigations.”

Unfortunately, I believe that the threat of backlash will do nothing: Microsoft is banking on the majority of users accepting the changes, a very small minority of them raising a stink, and a minuscule number of users actually doing something about it (either taking Microsoft to court or switching to another OS).

All these changes seem to have been made with a double goal: to consolidate the Windows market, and to create a user base more comfortable with less choice and Microsoft firmly at the driver’s wheel.

Help Net Security

A hacker has breached the official Dota 2 Dev forum and made off with the entire forum database, which contains email addresses, usernames, IP addresses, and salted password hashes of 1,923,972 users.

Dota 2 Dev forum breached

LeakedSource managed to get ahold of the stolen database, and says that the hack happened on July 10th, 2016.

Their analysis revealed that the overwhelming majority of users signed up with their Gmail address, but also that many users used disposable email addresses.

Unfortunately, even though the passwords were hashed and salted, Valve Corporation – the creator of the Defense of the Ancients 2 game and of the breached forum – chose to use the vulnerable MD5 algorithm for the hashing.

LeakedSource says they’ve already managed to “convert over 80% of [the hashed and salted passwords] to their plaintext values.”

The breach was confirmed by a forum administrator, who said that a vulnerability in the forum software (vBulletin) was exploited to dump the database, and that it has been patched.

“We have reset the passwords for all forum user accounts,” he informed the users. “If you would like to log in to make a forum post, you’ll need to choose a new password. If you used your forum password for other online services, we recommend you change those passwords as well.”

He also made sure to note that the database relates only to the Dota 2 Dev forums, and that it doesn’t contain any Steam credentials, payment information or any other private information related to the users’ Steam account.
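Both the MoDaCo and the Dota 2 Dev forum stories above turn on the same point: a salt stops precomputed tables, but MD5 is so cheap per guess that salted hashes of ordinary passwords still fall quickly. The following is an added example, not code from any of the sites or vendors covered above, showing the defensive fix a forum operator can apply: keep verifying the legacy MD5(salt || password) format, but re-hash each account with a memory-hard KDF (scrypt, with cost parameters assumed for the demo) the next time the user logs in, which is the only moment the server ever sees the plaintext again.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters are assumptions for this demo, not values from the page.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Legacy forum scheme: MD5(salt || password). One guess costs one MD5 call,
    so a per-user salt only prevents precomputation, not fast guessing."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$" + salt.hex() + "$" + digest


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Replacement scheme: memory-hard scrypt with a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify(password: str, stored: str) -> bool:
    """Verify against either stored format; the prefix selects the scheme."""
    try:
        scheme, salt_hex, _digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme == "md5":
        candidate = legacy_md5_hash(password, salt)
    elif scheme == "scrypt":
        candidate = scrypt_hash(password, salt)
    else:
        return False
    # Constant-time comparison avoids leaking where the digests diverge.
    return hmac.compare_digest(candidate, stored)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, transparently upgrade a legacy MD5 record
    to scrypt so the weak format disappears from the database over time."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("md5$"):
        users[username] = scrypt_hash(password)
    return True


def legacy_count(users: dict) -> int:
    """How many accounts still hold a fast MD5 hash (what a breach would expose)."""
    return sum(1 for h in users.values() if h.startswith("md5$"))


if __name__ == "__main__":
    # Constructed sample store: one account still on the legacy scheme.
    store = {"alice": legacy_md5_hash("correct horse", bytes.fromhex("00112233445566778899aabbccddeeff"))}
    print("legacy hashes before login:", legacy_count(store))
    print("wrong password accepted?:", login(store, "alice", "wrong"))
    print("right password accepted?:", login(store, "alice", "correct horse"))
    print("legacy hashes after login:", legacy_count(store))
```

Accounts that never log in again keep their MD5 hash, so operators usually pair this with an expiry date after which stale legacy hashes are cleared and a reset is forced.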

Help Net Security